100 Million+ Devices Affected by NAME:WRECK DNS Vulnerabilities
Researchers at Forescout and JSOF have identified 9 vulnerabilities in Internet-connected devices that could be exploited in denial-of-service and remote code execution attacks. The flaws have been identified in certain implementations of the Domain Name System (DNS) protocol in TCP/IP network communication stacks.
The flaws stem mostly from how domain names are parsed, which can be abused to breach DNS implementations, and from problems with DNS compression, which DNS uses to reduce the size of the messages devices exchange over TCP/IP networks.
This class of vulnerabilities has been named NAME:WRECK. They affect common IoT and operational technology systems, including FreeBSD, IPnet, Nucleus NET, and NetX. While the use of these IoT/OT systems does not necessarily mean devices are vulnerable, many will be. The researchers suggest that around 1% of IoT devices are likely to be susceptible to the flaws, which is more than 100 million devices worldwide.
Vulnerable devices are used in a range of industry sectors, including healthcare, retail, manufacturing, and government, with healthcare organizations and government agencies two of the top three worst affected sectors. Fortunately, the vulnerabilities are not straightforward to exploit. A malicious packet must be sent in response to a legitimate DNS request, so exploitation would require a man-in-the-middle attack or the use of an exploit for a different vulnerability between the target device and the DNS server, such as DNSpooq.
The 9 vulnerabilities are detailed in the table below, along with the products and TCP/IP stacks affected:
| Vulnerability CVE | Stack | Impact | CVSS Score |
|---|---|---|---|
| CVE-2016-20009 | IPnet | Remote Code Execution | 9.8 |
| CVE-2020-15795 | Nucleus NET | Remote Code Execution | 8.1 |
| CVE-2020-27009 | Nucleus NET | Remote Code Execution | 8.1 |
| CVE-2020-27736 | Nucleus NET | Denial of Service | 6.5 |
| CVE-2020-27737 | Nucleus NET | Denial of Service | 6.5 |
| CVE-2020-27738 | Nucleus NET | Denial of Service | 6.5 |
| CVE-2020-25677 | Nucleus NET | DNS Cache Poisoning | 5.3 |
| CVE-2020-7461 | FreeBSD | Remote Code Execution | 7.7 |
| Awaiting CVE | NetX | Denial of Service | 6.5 |
The flaws range in severity, with the most serious vulnerabilities rated critical. The vulnerabilities can also be chained. For example, with CVE-2020-27009, an attacker can craft a DNS response packet and write arbitrary data in sensitive parts of the memory. CVE-2020-15795 allows the attacker to craft meaningful code to be injected, and CVE-2021-25667 allows a bypass of DNS query-response matching to deliver the malicious packet to the target.
FreeBSD is also used in pfSense firewalls and network appliances such as Check Point IPSO and McAfee SecurOS. NetX is used in wearable patient monitors such as those manufactured by Welch Allyn. Nucleus NET is used extensively in healthcare devices, including ZOLL defibrillators and ZONARE ultrasound machines. The flaw in FreeBSD is of particular concern as the network stack is used in many embedded devices and millions of higher performance IT servers, including those used by major websites such as Yahoo and Netflix.
The flaws could be used for extortion in denial-of-service attacks on mission-critical systems, to steal sensitive data, or could allow modifications to devices to alter functions and could cause significant damage. Since vulnerable devices are used in heating, ventilation, lighting, and security systems, critical building functions could also be tampered with.
While patches have now been released to correct the flaws, applying those patches may be problematic. Many of the affected internet-enabled devices are used to control mission-critical applications that are always running and cannot easily be shut down.
Mitigating NAME:WRECK Vulnerabilities
The first stage is to identify all vulnerable devices. Forescout is developing an open-source script that can be used to fingerprint all vulnerable devices. Devices will not be protected until the patches are applied, so after identifying all vulnerable devices, mitigations should be implemented until the patches can be applied. Those measures should include device and network segmentation, restricting external communication with vulnerable devices, and configuring the devices to use internal DNS servers. Network traffic should also be monitored for malicious packets attempting to exploit the vulnerabilities and other flaws in DNS, mDNS, and DHCP clients.
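As an illustration of the monitoring step, the following added example (not Forescout's script and not code from any affected stack) checks a captured DNS message for malformed name encoding of the kind the article attributes the flaws to: broken compression pointers and over-long names. The function names and sample messages are constructed for this example, and only question and record owner names are checked, not names embedded in RDATA.

```python
import struct

HEADER_LEN, MAX_NAME = 12, 255   # DNS header size; RFC 1035 cap on one encoded name

def check_name(msg, off):
    """Walk one encoded name; return (offset after it, None) or (None, problem)."""
    total, seen, after = 0, set(), None
    while off < len(msg):
        b = msg[off]
        if b & 0xC0 == 0xC0:                      # compression pointer
            if off + 1 >= len(msg):
                return None, "truncated compression pointer"
            if off in seen:
                return None, "compression pointer loop"
            seen.add(off)
            after = after or off + 2              # record resumes after the first pointer
            off = ((b & 0x3F) << 8) | msg[off + 1]
            if off < HEADER_LEN:
                return None, "compression pointer into header"
        elif b & 0xC0:                            # 0x40 and 0x80 label types are reserved
            return None, "reserved label type"
        elif b == 0:                              # root label ends the name
            return after or off + 1, None
        else:
            total += b + 1                        # length byte plus label bytes
            if total + 1 > MAX_NAME:              # +1 for the terminating root label
                return None, "name longer than 255 bytes"
            off += b + 1
    return None, "name or pointer runs past end of message"

def check_response(msg):
    """Return the first name-encoding violation in a DNS message, or None."""
    if len(msg) < HEADER_LEN:
        return "message shorter than DNS header"
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = HEADER_LEN
    for i in range(qd + an + ns + ar):
        off, problem = check_name(msg, off)
        if problem:
            return f"record {i}: {problem}"
        # Questions carry 4 fixed bytes; records carry 10 plus RDLENGTH bytes of RDATA.
        off += 4 if i < qd else 10 + int.from_bytes(msg[off + 8:off + 10], "big")
        if off > len(msg):
            return f"record {i}: fields run past end of message"
    return None

# Constructed sample messages: one question for example.com and one A answer.
_PRE = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x07example\x03com\x00\x00\x01\x00\x01"
GOOD = _PRE + b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
LOOP = GOOD[:29] + b"\xc0\x1d" + GOOD[31:]   # answer name (offset 29) now points at itself
```

A non-None result from `check_response` on traffic destined for a device running one of the affected stacks is worth alerting on, since well-formed resolvers do not emit such encodings.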
Patches have been released for FreeBSD, Nucleus NET, and NetX, and device manufacturers, including Siemens, have already started releasing patches to correct the flaws in their products.